#1
Have Identity Certificate, can't use it
Hey everyone,
I have a valid DOD CA-11 identity certificate that doesn't expire for 2+ years. I do see it in the personal certificate store (certmgr.msc). My problem is that neither Outlook 2003 nor IE 7 recognizes it. Outlook 2003 pops up a warning stating that my email account doesn't have a valid identity certificate and IE 7 won't send my credentials when trying to access some web sites. I can't find anything on how to troubleshoot this or how to reset my machine to start anew. Reformatting my machine is my last resort but I don't know if I will resort to this if I make it that far.

Any help is appreciated. Thanks.
#2
"spearenb" wrote in message news
> I have a valid DOD CA-11 identity certificate that doesn't expire for 2+ years. I do see it in the personal certificate store (certmgr.msc). My problem is that neither Outlook 2003 nor IE 7 recognizes it. Outlook 2003 pops up a warning stating that my email account doesn't have a valid identity certificate and IE 7 won't send my credentials when trying to access some web sites. I can't find anything on how to troubleshoot this or how to reset my machine to start anew. Reformatting my machine is my last resort but I don't know if I will resort to this if I make it that far.

Did you actually *install* the cert into Outlook? In OL2002: Tools - Options - Security - Import

With freemail certs from Thawte, I don't have to do this since the script in their HTML page handles the import. I let all my certs expire and removed them so I don't have anything to look at right now.

Does the e-mail address specified in the cert match one of the e-mail addresses defined in an account in Outlook?
#3
"Vanguard" wrote:
> "spearenb" wrote in message news
>> I have a valid DOD CA-11 identity certificate that doesn't expire for 2+ years. I do see it in the personal certificate store (certmgr.msc). My problem is that neither Outlook 2003 nor IE 7 recognizes it. Outlook 2003 pops up a warning stating that my email account doesn't have a valid identity certificate and IE 7 won't send my credentials when trying to access some web sites. I can't find anything on how to troubleshoot this or how to reset my machine to start anew. Reformatting my machine is my last resort but I don't know if I will resort to this if I make it that far.
> Did you actually *install* the cert into Outlook? In OL2002: Tools - Options - Security - Import
> With freemail certs from Thawte, I don't have to do this since the script in their HTML page handles the import. I let all my certs expire and removed them so I don't have anything to look at right now.
> Does the e-mail address specified in the cert match one of the e-mail addresses defined in an account in Outlook?

Yeah, the certificate is contained on a CAC card (smart card) and the card reader imported it into Outlook.

Also, I do (did) have a certificate from ORC that was imported at one time... and it doesn't work either. I am less confident and not really worried about the ORC certificate though...
#4
"spearenb" wrote in message ...
> "Vanguard" wrote:
>> "spearenb" wrote in message news
>>> I have a valid DOD CA-11 identity certificate that doesn't expire for 2+ years. I do see it in the personal certificate store (certmgr.msc). My problem is that neither Outlook 2003 nor IE 7 recognizes it. Outlook 2003 pops up a warning stating that my email account doesn't have a valid identity certificate and IE 7 won't send my credentials when trying to access some web sites. I can't find anything on how to troubleshoot this or how to reset my machine to start anew. Reformatting my machine is my last resort but I don't know if I will resort to this if I make it that far.
>> Did you actually *install* the cert into Outlook? In OL2002: Tools - Options - Security - Import
>> With freemail certs from Thawte, I don't have to do this since the script in their HTML page handles the import. I let all my certs expire and removed them so I don't have anything to look at right now.
>> Does the e-mail address specified in the cert match one of the e-mail addresses defined in an account in Outlook?
> Yeah, the certificate is contained on a CAC card (smart card) and the card reader imported it into Outlook.
> Also, I do (did) have a certificate from ORC that was imported at one time... and it doesn't work either. I am less confident and not really worried about the ORC certificate though...

I don't know how a card reader can do anything by itself, so I don't see how a .pfx file on a flash card can do anything to import a certificate. Try following the import instructions at http://support.microsoft.com/kb/823503/en-us.

When in Outlook under the Tools - Options - Security tab, is a cert listed in the drop-down listbox for "Default Setting"? When you click on the Settings button, do you see any certs listed?

For IE, under Internet Options - Content - Certificates, are any listed there? Currently I only have one listed for the EFS cert (which cannot be used by IE for HTTPS or by an e-mail client).

When using certmgr.msc, what purposes are listed for each cert you have installed?
#5
"Vanguard" wrote:
> I don't know how a card reader can do anything by itself, so I don't see how a .pfx file on a flash card can do anything to import a certificate. Try following the import instructions at http://support.microsoft.com/kb/823503/en-us.
> When using certmgr.msc, what purposes are listed for each cert you have installed?

The reader is ActivCard Gold and it has 'register' functionality. This was the way I put it in the Personal/Certificates area of the certmgr.msc app. Speaking of which, properties for the certificate include the S/MIME signing with a Yes.

> When in Outlook under the Tools - Options - Security tab, is a cert listed in the drop-down listbox for "Default Setting"? When you click on the Settings button, do you see any certs listed?

Yes, I do have an entry for this certificate. I was able to select it in the Change Security Settings window.

> For IE, under Internet Options - Content - Certificates, are any listed there? Currently I only have one listed for the EFS cert (which cannot be used by IE for HTTPS or by an e-mail client).

Yes, I see it in there.
#6
I read up some on the cert you mention having, like at http://www.verisign.com/repository/cps/dod/ieca-cps.pdf. I don't see that it is used for SSL connects or for e-mail.

Have you checked at the CA that issued the cert to make sure it hasn't been revoked? Your statements in your first post make it appear that you think you still have a valid cert but that perhaps you are no longer employed with the DOD yet still think you can identify yourself from there. I don't know who is the CA for your cert. If it is a Verisign cert, see if you can check its status at:

Class 1 cert: https://digitalid.verisign.com/servi...ent/index.html
ECA cert: https://eca.verisign.com/client/revoke.htm

Did you check what the usages were listed for that cert?

I found some articles at Verisign regarding support, like:

http://www.verisign.com/support/eca-support/index.html
http://www.verisign.com/verisign-bus...all/index.html
http://www.verisign.com/support/digi...dev029379.html
http://www.verisign.com/support/eca-support/index.html
http://www.verisign.com/static/037901.pdf
#7
OK, I have some egg on my face here.....

After calling the DISA support line, I have found out that I ONLY have an ID certificate on my card. I don't have an email or encryption certificate. On the other hand, I was able to install my ORC certificates (meaning I remembered my passwords) so I have an ID and encryption certificate that I can use for email.

I think my confusion is that the ID certificates from the different organizations are not the same. I thought the ID cert from DISA would be akin to the ID cert from ORC and therefore, be used for email.

Anyway, Vanguard, thanks for your help. Case Closed.

"Vanguard" wrote:
> I read up some on the cert you mention having, like at http://www.verisign.com/repository/cps/dod/ieca-cps.pdf. I don't see that it is used for SSL connects or for e-mail.
> Have you checked at the CA that issued the cert to make sure it hasn't been revoked? Your statements in your first post make it appear that you think you still have a valid cert but that perhaps you are no longer employed with the DOD yet still think you can identify yourself from there. I don't know who is the CA for your cert. If it is a Verisign cert, see if you can check its status at:
> Class 1 cert: https://digitalid.verisign.com/servi...ent/index.html
> ECA cert: https://eca.verisign.com/client/revoke.htm
> Did you check what the usages were listed for that cert?
> I found some articles at Verisign regarding support, like:
> http://www.verisign.com/support/eca-support/index.html
> http://www.verisign.com/verisign-bus...all/index.html
> http://www.verisign.com/support/digi...dev029379.html
> http://www.verisign.com/support/eca-support/index.html
> http://www.verisign.com/static/037901.pdf
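The thread's resolution (an identity certificate that is present in the store but not issued for e-mail) can be confirmed by reading each certificate's key usage and enhanced key usage instead of relying on its name. This is an added example, not part of the original thread; the function name `Get-CertPurposeReport` is hypothetical, it assumes PowerShell 3.0 or later, and the `Can...` columns are a simplified reading of the extensions, not the exact selection logic of Outlook or Internet Explorer.

```powershell
# Added example: report what each certificate in the Personal store is issued for.
$KU             = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]
$OidClientAuth  = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
$OidSecureEmail = '1.3.6.1.5.5.7.3.4'   # id-kp-emailProtection
$OidAnyEku      = '2.5.29.37.0'         # anyExtendedKeyUsage

function Get-CertPurposeReport {
    param([string]$StorePath = 'Cert:\CurrentUser\My')

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # 2.5.29.37 = extendedKeyUsage, 2.5.29.15 = keyUsage
        $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        $ku  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.15' }

        $ekuOids = @()
        if ($eku) { $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

        # A certificate with no EKU extension is not restricted by EKU.
        $anyEku    = (-not $eku) -or ($ekuOids -contains $OidAnyEku)
        $emailEku  = $anyEku -or ($ekuOids -contains $OidSecureEmail)
        $clientEku = $anyEku -or ($ekuOids -contains $OidClientAuth)

        # Likewise, a missing keyUsage extension places no restriction.
        $bits     = if ($ku) { [int]$ku.KeyUsages } else { -1 }
        $canSign  = ($bits -band ([int]$KU::DigitalSignature -bor [int]$KU::NonRepudiation)) -ne 0
        $canEncip = ($bits -band [int]$KU::KeyEncipherment) -ne 0

        # rfc822Name from the SAN, or E= from the subject; empty if neither exists
        $email = $cert.GetNameInfo('EmailName', $false)

        [pscustomobject]@{
            Subject        = $cert.Subject
            Issuer         = $cert.GetNameInfo('SimpleName', $true)
            Email          = $email
            NotAfter       = $cert.NotAfter
            HasPrivateKey  = $cert.HasPrivateKey
            KeyUsage       = if ($ku) { $ku.KeyUsages } else { '(none)' }
            EKU            = if ($eku) { $ekuOids -join ', ' } else { '(none)' }
            CanSignMail    = $cert.HasPrivateKey -and [bool]$email -and $emailEku -and $canSign
            CanDecryptMail = $cert.HasPrivateKey -and [bool]$email -and $emailEku -and $canEncip
            CanClientAuth  = $cert.HasPrivateKey -and $clientEku -and $canSign
        }
    }
}

Get-CertPurposeReport | Format-List
```

A certificate that shows `CanSignMail : False` with an empty `Email` field or an EKU list lacking `1.3.6.1.5.5.7.3.4` is an identity-only certificate of the kind described in the last post.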